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Qi We intend to revise the code to address the impact of changes in. i 
data protection legislation, where these changes are relevant to 
data sharing. What changes to the data protection legislation do 


you think we should focus on when updating the code? 


More focus on the application of the privacy by design/default principles 
o data sharing. 


Expansion on the mandatory requirement of DPIAs and their role in data 
haring. 


Focus on the sharing of special category data and the application of the 


provisions of the Data Protection Act 2018. 


Some detail on the removal of the ‘data controllers in common’ status and 
guidance on when a sharing should be considered as between data 
ontrollers or joint controllers. 


Q2 Apart from recent changes to data protection legislation, are there 
other developments that are having an impact on your 
organisation’s data sharing practice that you would like us to 
address in the updated code? 


Yes 
L 


No 


Q3 If yes (please specify) 
The impact of the Digital Economy Act on data sharing. 


Q4 Does the 2011 data sharing code of practice strike the right 
balance between recognising the benefits of sharing personal data 
and the need to protect it? Please give details. 


Yes 


No 


mica 


Q5 If yes in what ways does it achieve this? 


By treating them separately but equally. In terms of the priority of focus, 
he code should give guidance on how to share personal information 
legally without going into too much detail on the benefits of sharing data 


Overall it is very clearly laid out, easy to follow, and written in plain 
English which is something any update should seek to maintain (Practical 
hings, like the checklist on p.24 and section 15, and the data sharing 


emplate forms on pp.44-45, are particularly helpful.). However, the 
document is very long and it would be helpful to give consideration to a 
Summary, and/or to something like a flow chart that would make it easier 
o navigate and to ‘jump’ to relevant sections 


Q6 If no, in what ways does it fail to strike the right balance? 


® 
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Q7 What types of data sharing (eg systematic, routine sharing or 


exceptional, ad hoc requests) are covered in too much detail in the 
2011 code? 


All are dealt with more or less equally, but it would be useful if some 
practical examples/case studies could be provided. 


Q8 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are not covered in enough detail in 
the 2011 code? 


It would be useful if ad hoc requests could be dealt with more fully in 
scenarios where time is of the essence - what are the key things to look 
out for? 


ico. 


Information Commissioner's Office 


Q9 Is the 2011 code relevant to the types of data sharing your 
organisation is involved in? If not, which additional areas should 
we cover? 


he 2011 Code is fine, but for the new version it would be useful if 
attention could be paid to the public sector and their inability to rely on 
onsent or legitimate interests to share data. 


Information Commissioner's Office 


Q10 Please provide details of any case studies or data sharing scenarios 
that you would like to see included in the updated code? 


It would be useful to see more guidance or case studies on when the legal 

basis for processing is different to the legal basis for sharing. What action 

needs to be taken in this circumstance? And how to navigate data sharing 
hen you are Joint Data controller or an independent data controller with 

another organisation for the same data set (particularly to help unpick the 
hanges that come with GDPR removing the concept of “data controller in 
ommon”). 


It would be useful to illustrate how changes under GDPR affect sharing of 
data such as distribution lists. Previously people may have compiled a 
distribution list and shared with others, in effect collect once and use 
multiple times. It would be good to explain how data can be shared in 
ertain situations where perhaps there are perceived barriers under 
GDPR. 


It would be helpful to have case studies showing how the Digital Economy 
Act can be used in practice. 


ASPI could be used as a general sort of case study? 


he following could be addresses as a case study or scenario but could 


also be picked up in other ways in a new code: 


In relation to data sharing around individuals who pose a risk to the 
public, it is often the case that information crucial to the identification and 
management of risk is not shared between agencies, with ‘confidentiality’ 
and ‘data assurance’ cited as reasons behind the reluctance to share. 
Investigations into domestic homicides and serious further offences 
onsistently reveal that the risk posed could have been predicted (and 
mitigated) had relevant agencies shared information. While professionals 
ill understand that duty of care overrides confidentiality, this 
understanding is not broadly apparent across relevant agencies. A new 
ode should specifically address this so that a range of organisations are 
aware of when it is acceptable to share risk-related information about an 
individual and understands safe and appropriate means of doing so. 


P.13 - reference to Human Rights Act compliance - examples or case 
tudies would be useful to elucidate what this means. 


Q11 Is there anything the 2011 code does not cover that you think it 
should? Please provide details. 


ith GDPR in mind, the new code should be more closely integrated with 
he ICO’s GDPR guidance, in particular with the guidance on the lawful 
bases and exemptions. 


Q12 In what other ways do you think the 2011 code could be 
improved? 


P.15 - a fuller list/examples of ‘personal’ and ‘personal sensitive’ data 
items would be helpful here. It’s in an annex later in the document but a 
hyperlink, note or ‘box’ would be useful for cross-referencing. 


In the update it would be helpful to clearly set out what has changed 
Since the advent of GDPR, and to highlight particular ‘new’ considerations 
hat data controllers and processors should consider in reviewing their 
procedures and documentation. Another checklist for this would be good. 


References to the principles of the DPA in various places, eg p.10, p.15 - 
Ithough again there is an annex at the end of the document, ‘embedded’ 
reminders or hyperlinks to the relevant principles would be useful. 


P.18 - telling individuals about data sharing - should give more emphasis 
o using plain English, and to the needs of individuals who may have low 
ognitive or literacy skills (for example, young people and adults with 

learning difficulties). The language used in privacy notices should be 
ailored to the needs of the target audience. 


P.29-30 - information on reliable sources of training (including online) 
ould be very valuable here 


ico. 


Information Commissioner's Office 


About you: 

Q13 Are you answering these questions as? 

A public sector worker 

A private sector worker 

A third or voluntary sector worker 

A member of the public 

A representative of a trade association 
A data subject 

An ICO employee 

Other 


OUUGOO C E 


Qi4 If other please specify: 


Q15 Please provide more information about the type of organisation 
you work for, ie a bank, a housing association, a school. 


elsh Government (i.e central government, devolved administration) 


Qi6 We may want to contact you about some of the points you have 
raised. If you are happy for us to do this please provide your email 
address: 


TEE o O 


Thank you for taking the time to share your views and experience. 


